[PATCH v4 8/30] landlock: Add AUDIT_LANDLOCK_DENY and log ptrace denials

Paul Moore paul at paul-moore.com
Thu Jan 16 20:00:45 UTC 2025


On Thu, Jan 16, 2025 at 5:49 AM Mickaël Salaün <mic at digikod.net> wrote:
> On Wed, Jan 15, 2025 at 06:53:06PM -0500, Paul Moore wrote:
> > > On Jan 8, 2025 Mickaël Salaün <mic at digikod.net> wrote:

...

> > > The next patch
> > > series will also contain a new kind of audit rule to specifically
> > > identify the origin of the policy that created this denied event, which
> > > should make more sense.
> >
> > Generally speaking audit only wants to support a small number of message
> > types dedicated to a specific LSM.  If you're aware of additional message
> > types that you plan to propose in a future patchset, it's probably
> > time to discuss those now.
>
> The only other audit record type I'm thinking about would be one
> dedicated to "potentially denied access", something similar to SELinux's
> permissive mode.

In this case the "audit way" to handle this would be to add a
"permissive=[0|1]" field, or similar, to the AUDIT_LANDLOCK_ACCESS
message.  If this is something you are definitely going to add to
Landlock, I might suggest adding the "permissive=" field now so it is
present from the start.

-- 
paul-moore.com
